@payclaw/badge 0.7.1 → 0.8.0

package/dist/verify.js

@@ -0,0 +1,161 @@
+/**
+ * verify() — merchant-side Badge JWT verification.
+ *
+ * Import: `import { verify } from '@payclaw/badge/verify'`
+ *
+ * Fetches PayClaw's JWKS once, caches it, verifies ES256 signature locally.
+ * Returns decoded identity or null. Never throws.
+ * Works in Node.js 18+ and Cloudflare Workers (Web Crypto API only).
+ * Zero runtime dependencies.
+ */
+let jwksCache = null;
+let jwksCacheUri = null;
+// ── Helpers ──
+function base64urlDecode(str) {
+    const padded = str.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = "=".repeat((4 - (padded.length % 4)) % 4);
+    const binary = atob(padded + padding);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function decodeJWT(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        return null;
+    try {
+        const header = JSON.parse(new TextDecoder().decode(base64urlDecode(parts[0])));
+        const payload = JSON.parse(new TextDecoder().decode(base64urlDecode(parts[1])));
+        const signatureBytes = base64urlDecode(parts[2]);
+        const signedPart = `${parts[0]}.${parts[1]}`;
+        return { header, payload, signatureBytes, signedPart };
+    }
+    catch {
+        return null;
+    }
+}
+async function importJWK(jwk) {
+    try {
+        return await globalThis.crypto.subtle.importKey("jwk", { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
+    }
+    catch {
+        return null;
+    }
+}
+async function fetchJWKS(uri) {
+    const keys = new Map();
+    let res;
+    try {
+        res = await fetch(uri, { signal: AbortSignal.timeout(5000) });
+    }
+    catch (e) {
+        console.warn("[PayClaw verify] JWKS fetch failed:", e);
+        return keys;
+    }
+    if (!res.ok) {
+        console.warn(`[PayClaw verify] JWKS fetch returned ${res.status}`);
+        return keys;
+    }
+    let data;
+    try {
+        data = await res.json();
+    }
+    catch {
+        console.warn("[PayClaw verify] JWKS response is not valid JSON");
+        return keys;
+    }
+    // Extract signing_keys[] from UCP profile or keys[] from standard JWKS
+    const rawKeys = (Array.isArray(data.signing_keys) ? data.signing_keys :
+        Array.isArray(data.keys) ? data.keys :
+            []);
+    for (const jwk of rawKeys) {
+        if (typeof jwk.kid !== "string" || jwk.kty !== "EC" || jwk.crv !== "P-256")
+            continue;
+        const cryptoKey = await importJWK(jwk);
+        if (cryptoKey)
+            keys.set(jwk.kid, cryptoKey);
+    }
+    return keys;
+}
+async function getCachedKeys(uri, cacheTtlMs) {
+    const now = Date.now();
+    if (jwksCache && jwksCacheUri === uri && (now - jwksCache.fetchedAt) < cacheTtlMs) {
+        return jwksCache.keys;
+    }
+    const keys = await fetchJWKS(uri);
+    if (keys.size > 0) {
+        jwksCache = { keys, fetchedAt: now };
+        jwksCacheUri = uri;
+    }
+    return keys;
+}
+// ── Main ──
+const DEFAULT_JWKS_URI = "https://payclaw.io/.well-known/ucp";
+const DEFAULT_CACHE_TTL_MS = 3600000; // 1 hour
+const DEFAULT_CLOCK_TOLERANCE_SEC = 30;
+export async function verify(token, options) {
+    try {
+        if (!token || typeof token !== "string")
+            return null;
+        const decoded = decodeJWT(token);
+        if (!decoded)
+            return null;
+        const { header, payload, signatureBytes, signedPart } = decoded;
+        // Extract kid
+        const kid = header.kid;
+        if (typeof kid !== "string") {
+            console.warn("[PayClaw verify] Token has no kid in header");
+            return null;
+        }
+        // Check alg
+        if (header.alg !== "ES256")
+            return null;
+        // Get keys
+        const jwksUri = options?.jwksUri ?? DEFAULT_JWKS_URI;
+        const cacheTtlMs = options?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+        const keys = await getCachedKeys(jwksUri, cacheTtlMs);
+        const key = keys.get(kid);
+        if (!key)
+            return null;
+        // Verify signature
+        const signedData = new TextEncoder().encode(signedPart);
+        const sigBuf = new ArrayBuffer(signatureBytes.byteLength);
+        new Uint8Array(sigBuf).set(signatureBytes);
+        const dataBuf = new ArrayBuffer(signedData.byteLength);
+        new Uint8Array(dataBuf).set(signedData);
+        const valid = await globalThis.crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, key, sigBuf, dataBuf);
+        if (!valid)
+            return null;
+        // Check expiry
+        const clockToleranceSec = options?.clockToleranceSec ?? DEFAULT_CLOCK_TOLERANCE_SEC;
+        const now = Math.floor(Date.now() / 1000);
+        const exp = payload.exp;
+        if (typeof exp === "number" && now > exp + clockToleranceSec)
+            return null;
+        // Build identity
+        return {
+            userId: String(payload.sub ?? ""),
+            agentId: String(payload.agent_id ?? payload.agentId ?? ""),
+            intent: String(payload.intent ?? ""),
+            scopes: Array.isArray(payload.scopes) ? payload.scopes.map(String) : [],
+            merchantDomain: typeof payload.merchant_domain === "string" ? payload.merchant_domain : undefined,
+            issuedAt: typeof payload.iat === "number" ? payload.iat : 0,
+            expiresAt: typeof payload.exp === "number" ? payload.exp : 0,
+            kid,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Reset the JWKS cache. Useful for testing.
+ * @internal
+ */
+export function _resetCache() {
+    jwksCache = null;
+    jwksCacheUri = null;
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AA+BH,IAAI,SAAS,GAAqB,IAAI,CAAC;AACvC,IAAI,YAAY,GAAkB,IAAI,CAAC;AAEvC,gBAAgB;AAEhB,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAChF,MAAM,cAAc,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAA4B;IACnD,IAAI,CAAC;QACH,OAAO,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAc,EACd,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAgB,EAChE,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,GAAW;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAqB,CAAC;IAE1C,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CAAC,wCAAwC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAA6B,CAAC;IAClC,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uEAAuE;IACvE,MAAM,OAAO,GAAG,CACd,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACtD,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtC,EAAE,CAC0B,CAAC;IAE/B,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO;YAAE,SAAS;QACrF,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,SAAS;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,UAAkB;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,SAAS,IAAI,YAAY,KAAK,GAAG,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,UAAU,EAAE,CAAC;QAClF,OAAO,SAAS,CAAC,IAAI,CAAC;IACxB,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAClB,SAAS,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC;QACrC,YAAY,GAAG,GAAG,CAAC;IACrB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,aAAa;AAEb,MAAM,gBAAgB,GAAG,oCAAoC,CAAC;AAC9D,MAAM,oBAAoB,GAAG,OAAO,CAAC,CAAC,SAAS;AAC/C,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAEvC,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,KAAa,EACb,OAAuB;IAEvB,IAAI,CAAC;QACH,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAErD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QAEhE,cAAc;QACd,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACvB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,YAAY;QACZ,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO;YAAE,OAAO,IAAI,CAAC;QAExC,WAAW;QACX,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,gBAAgB,CAAC;QACrD,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,oBAAoB,CAAC;QAC/D,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAEtD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,mBAAmB;QACnB,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAC1D,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QACvD,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CACjD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,GAAG,EACH,MAAM,EACN,OAAO,CACR,CAAC;QACF,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,eAAe;QACf,MAAM,iBAAiB,GAAG,OAAO,EAAE,iBAAiB,IAAI,2BAA2B,CAAC;QACpF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,GAAG,GAAG,GAAG,iBAAiB;YAAE,OAAO,IAAI,CAAC;QAE1E,iBAAiB;QACjB,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;YAC1D,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YACpC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE;YACvE,cAAc,EAAE,OAAO,OAAO,CAAC,eAAe,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;YACjG,QAAQ,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC3D,SAAS,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC5D,GAAG;SACJ,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,SAAS,GAAG,IAAI,CAAC;IACjB,YAAY,GAAG,IAAI,CAAC;AACtB,CAAC"}

package/dist/verify.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/verify.test.js

@@ -0,0 +1,177 @@
+import { describe, it, expect, beforeAll, beforeEach, afterEach, vi } from "vitest";
+import { verify, _resetCache } from "./verify.js";
+// ── Key pair generation ──
+let privateKey;
+let publicJWK;
+const KID = "test-key-v1";
+beforeAll(async () => {
+    const pair = await globalThis.crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
+    privateKey = pair.privateKey;
+    const pubExported = await globalThis.crypto.subtle.exportKey("jwk", pair.publicKey);
+    publicJWK = { ...pubExported, kid: KID, use: "sig", alg: "ES256" };
+});
+// ── JWT helpers ──
+function base64urlEncode(data) {
+    const bytes = typeof data === "string" ? new TextEncoder().encode(data) : data;
+    let binary = "";
+    for (const b of bytes)
+        binary += String.fromCharCode(b);
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function signJWT(payload, options) {
+    const header = { alg: options?.alg ?? "ES256", typ: "JWT", kid: options?.kid ?? KID };
+    const headerB64 = base64urlEncode(JSON.stringify(header));
+    const payloadB64 = base64urlEncode(JSON.stringify(payload));
+    const signedPart = `${headerB64}.${payloadB64}`;
+    const data = new TextEncoder().encode(signedPart);
+    const dataBuf = new ArrayBuffer(data.byteLength);
+    new Uint8Array(dataBuf).set(data);
+    const sig = await globalThis.crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, privateKey, dataBuf);
+    const sigB64 = base64urlEncode(new Uint8Array(sig));
+    return `${signedPart}.${sigB64}`;
+}
+function validPayload(overrides) {
+    const now = Math.floor(Date.now() / 1000);
+    return {
+        sub: "user-123",
+        agent_id: "agent-456",
+        intent: "buy coffee",
+        scopes: ["checkout:complete"],
+        merchant_domain: "starbucks.com",
+        iat: now - 60,
+        exp: now + 300,
+        ...overrides,
+    };
+}
+// ── Mock fetch ──
+function mockFetchJWKS() {
+    return vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify({ signing_keys: [publicJWK] }), { status: 200 }));
+}
+// ── Tests ──
+describe("verify()", () => {
+    beforeEach(() => {
+        _resetCache();
+    });
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    it("verifies a valid token and returns PayClawIdentity", async () => {
+        const fetchMock = mockFetchJWKS();
+        const token = await signJWT(validPayload());
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).not.toBeNull();
+        const identity = result;
+        expect(identity.userId).toBe("user-123");
+        expect(identity.agentId).toBe("agent-456");
+        expect(identity.intent).toBe("buy coffee");
+        expect(identity.scopes).toEqual(["checkout:complete"]);
+        expect(identity.merchantDomain).toBe("starbucks.com");
+        expect(identity.kid).toBe(KID);
+        expect(identity.issuedAt).toBeGreaterThan(0);
+        expect(identity.expiresAt).toBeGreaterThan(0);
+        expect(fetchMock).toHaveBeenCalledOnce();
+    });
+    it("returns null for expired token", async () => {
+        mockFetchJWKS();
+        const token = await signJWT(validPayload({ exp: Math.floor(Date.now() / 1000) - 120 }));
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).toBeNull();
+    });
+    it("returns null for tampered token", async () => {
+        mockFetchJWKS();
+        const token = await signJWT(validPayload());
+        // Tamper with the payload (change sub) but keep original signature
+        const parts = token.split(".");
+        const tamperedPayload = base64urlEncode(JSON.stringify({ ...validPayload(), sub: "hacker" }));
+        const tampered = `${parts[0]}.${tamperedPayload}.${parts[2]}`;
+        const result = await verify(tampered, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).toBeNull();
+    });
+    it("returns null for unknown kid", async () => {
+        mockFetchJWKS();
+        const token = await signJWT(validPayload(), { kid: "unknown-kid" });
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).toBeNull();
+    });
+    it("returns null for undefined input", async () => {
+        const result = await verify(undefined);
+        expect(result).toBeNull();
+    });
+    it("returns null for empty string input", async () => {
+        const result = await verify("");
+        expect(result).toBeNull();
+    });
+    it("returns null for malformed JWT (not 3 segments)", async () => {
+        mockFetchJWKS();
+        const result = await verify("not.a.valid.jwt.token", { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).toBeNull();
+    });
+    it("returns null for malformed JWT (2 segments)", async () => {
+        const result = await verify("header.payload");
+        expect(result).toBeNull();
+    });
+    it("caches JWKS — does not re-fetch on second call", async () => {
+        const fetchMock = mockFetchJWKS();
+        const token1 = await signJWT(validPayload());
+        const token2 = await signJWT(validPayload({ sub: "user-789" }));
+        await verify(token1, { jwksUri: "https://test.local/.well-known/ucp" });
+        await verify(token2, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(fetchMock).toHaveBeenCalledOnce();
+    });
+    it("re-fetches JWKS after cache expires", async () => {
+        const fetchMock = mockFetchJWKS();
+        const token = await signJWT(validPayload());
+        // First call with very short TTL
+        await verify(token, { jwksUri: "https://test.local/.well-known/ucp", cacheTtlMs: 1 });
+        // Wait for cache to expire
+        await new Promise((r) => setTimeout(r, 10));
+        await verify(token, { jwksUri: "https://test.local/.well-known/ucp", cacheTtlMs: 1 });
+        expect(fetchMock).toHaveBeenCalledTimes(2);
+    });
+    it("returns null when JWKS endpoint is unreachable", async () => {
+        vi.spyOn(globalThis, "fetch").mockRejectedValue(new Error("network error"));
+        const token = await signJWT(validPayload());
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).toBeNull();
+    });
+    it("returns null for token with no kid in header", async () => {
+        mockFetchJWKS();
+        // Build a JWT manually without kid
+        const header = { alg: "ES256", typ: "JWT" };
+        const payload = validPayload();
+        const headerB64 = base64urlEncode(JSON.stringify(header));
+        const payloadB64 = base64urlEncode(JSON.stringify(payload));
+        const signedPart = `${headerB64}.${payloadB64}`;
+        const data = new TextEncoder().encode(signedPart);
+        const dataBuf = new ArrayBuffer(data.byteLength);
+        new Uint8Array(dataBuf).set(data);
+        const sig = await globalThis.crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, privateKey, dataBuf);
+        const token = `${signedPart}.${base64urlEncode(new Uint8Array(sig))}`;
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result).toBeNull();
+    });
+    it("respects clockToleranceSec for recently expired tokens", async () => {
+        mockFetchJWKS();
+        // Token expired 10 seconds ago, tolerance is 30
+        const token = await signJWT(validPayload({ exp: Math.floor(Date.now() / 1000) - 10 }));
+        const result = await verify(token, {
+            jwksUri: "https://test.local/.well-known/ucp",
+            clockToleranceSec: 30,
+        });
+        expect(result).not.toBeNull();
+    });
+    it("returns identity with merchantDomain when present", async () => {
+        mockFetchJWKS();
+        const token = await signJWT(validPayload({ merchant_domain: "example.com" }));
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result?.merchantDomain).toBe("example.com");
+    });
+    it("returns identity without merchantDomain when absent", async () => {
+        mockFetchJWKS();
+        const { merchant_domain: _, ...payloadNoMerchant } = validPayload();
+        const token = await signJWT(payloadNoMerchant);
+        const result = await verify(token, { jwksUri: "https://test.local/.well-known/ucp" });
+        expect(result?.merchantDomain).toBeUndefined();
+    });
+});
+//# sourceMappingURL=verify.test.js.map

package/dist/verify.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.test.js","sourceRoot":"","sources":["../src/verify.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACpF,OAAO,EAAE,MAAM,EAAE,WAAW,EAAwB,MAAM,aAAa,CAAC;AAExE,4BAA4B;AAE5B,IAAI,UAAqB,CAAC;AAC1B,IAAI,SAAkC,CAAC;AACvC,MAAM,GAAG,GAAG,aAAa,CAAC;AAE1B,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CACrD,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EACtC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;IACF,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;IAC7B,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IACpF,SAAS,GAAG,EAAE,GAAG,WAAW,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AACrE,CAAC,CAAC,CAAC;AAEH,oBAAoB;AAEpB,SAAS,eAAe,CAAC,IAAyB;IAChD,MAAM,KAAK,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/E,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,KAAK,UAAU,OAAO,CACpB,OAAgC,EAChC,OAAwC;IAExC,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,IAAI,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,IAAI,GAAG,EAAE,CAAC;IACtF,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAEhD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjD,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAC7C,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,UAAU,EACV,OAAO,CACR,CAAC;IACF,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,OAAO,GAAG,UAAU,IAAI,MAAM,EAAE,CAAC;AACnC,CAAC;AAED,SAAS,YAAY,CAAC,SAAmC;IACvD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO;QACL,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,WAAW;QACrB,MAAM,EAAE,YAAY;QACpB,MAAM,EAAE,CAAC,mBAAmB,CAAC;QAC7B,eAAe,EAAE,eAAe;QAChC,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,GAAG,EAAE,GAAG,GAAG,GAAG;QACd,GAAG,SAAS;KACb,CAAC;AACJ,CAAC;AAED,mBAAmB;AAEnB,SAAS,aAAa;IACpB,OAAO,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,iBAAiB,CACpD,IAAI,QAAQ,CACV,IAAI,CAAC,SAAS,CAAC,EAAE,YAAY,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,EAC7C,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CACF,CAAC;AACJ,CAAC;AAED,cAAc;AAEd,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;IACxB,UAAU,CAAC,GAAG,EAAE;QACd,WAAW,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QAEtF,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,MAAyB,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC9C,MAAM,CAAC,SAAS,CAAC,CAAC,oBAAoB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,aAAa,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC;QACxF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACtF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,aAAa,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;QAC5C,mEAAmE;QACnE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,YAAY,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC9F,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,eAAe,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACzF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,aAAa,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,EAAE,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACtF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAA8B,CAAC,CAAC;QAC5D,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,EAAE,CAAC,CAAC;QAChC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,aAAa,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,uBAAuB,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACxG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;QAEhE,MAAM,MAAM,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACxE,MAAM,MAAM,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QAExE,MAAM,CAAC,SAAS,CAAC,CAAC,oBAAoB,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;QAE5C,iCAAiC;QACjC,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;QAEtF,2BAA2B;QAC3B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QAE5C,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;QAEtF,MAAM,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;QAC5E,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACtF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,aAAa,EAAE,CAAC;QAChB,mCAAmC;QACnC,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,YAAY,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5D,MAAM,UAAU,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QAChD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjD,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAC7C,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,UAAU,EACV,OAAO,CACR,CAAC;QACF,MAAM,KAAK,GAAG,GAAG,UAAU,IAAI,eAAe,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAEtE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACtF,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,aAAa,EAAE,CAAC;QAChB,gDAAgD;QAChD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;QACvF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE;YACjC,OAAO,EAAE,oCAAoC;YAC7C,iBAAiB,EAAE,EAAE;SACtB,CAAC,CAAC;QACH,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,aAAa,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACtF,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,aAAa,EAAE,CAAC;QAChB,MAAM,EAAE,eAAe,EAAE,CAAC,EAAE,GAAG,iBAAiB,EAAE,GAAG,YAAY,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,oCAAoC,EAAE,CAAC,CAAC;QACtF,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,aAAa,EAAE,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,9 +1,13 @@
 {
   "name": "@payclaw/badge",
-  "version": "0.7.1",
+  "version": "0.8.0",
   "description": "Prove your agent is an authorized actor, not a bot. MCP-native identity declaration for agent commerce.",
   "bin": "dist/index.js",
   "main": "dist/index.js",
+  "exports": {
+    ".": "./dist/index.js",
+    "./verify": "./dist/verify.js"
+  },
   "type": "module",
   "engines": {
     "node": ">=20.0.0"
@@ -20,8 +24,8 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0",
-    "zod": "^4.3.6"
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "zod": "^3.24.0 || ^4.0.0"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",